D-Link IoT device security inadequate, according to FTC

The US Federal Trade Commission (FTC) is suing D-Link over claims the Taiwanese networking equipment manufacturer produced IoT devices with inadequate security.

D-Link, which is primarily known for its routers, was last week accused by the FTC of failing to take steps to secure its routers and Internet Protocol (IP) cameras from hackers targeting the Internet of Things (IoT), a problem which, the FTC says, has put thousands of customers at risk of losing sensitive data.

D-Link hit back with a statement saying the allegations are “vague and unsubstantiated” and that the complaint does not allege any breach of any product sold by D-Link Systems in the US.

D-Link on trial

In a complaint filed in the Northern District of California, the FTC charged that D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” However, the FTC believes D-Link failed to address well-known and easily preventable security flaws, such as:

“Hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;

A software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;

The mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months;

and leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

According to the complaint, hackers could exploit these vulnerabilities using any of several simple methods.

Easy to hack

The complaint is part of the FTC’s efforts to protect consumers’ privacy and security in IoT, which include cases the agency has brought against ASUS, a computer hardware manufacturer, and TRENDnet, a marketer of video cameras.

In a statement, the FTC’s director of the Bureau of Consumer Protection, Jessica Rich, said: “Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information.

“When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

Sad truths

In emailed comments to Internet of Business, Simon Edwards, cyber-security expert at Trend Micro, was candid about the lack of security protection in IoT devices.

“Ever since the Mirai DDoS code was released back in September, the true extent of the vulnerabilities that exist in many IoT devices has been exposed,” he said. “For many years researchers have been warning of the risks that lie in simple internet-connected devices like CCTV cameras, and even in the routers we all trust to protect our home connections.

“The sad truth is that these devices are rarely patched beyond their default configuration. How many of us can say for sure that our ISP is updating the router they supplied as part of our broadband connection?

“I believe that the U.S. Government in the form of the Federal Trade Commission is showing real leadership in taking these vendors to task, because sadly – but also ultimately – this may be the best way to try to fix what is a very large problem. As Mirai showed, 100,000s of devices can be infected in minutes and then they can be used to create a huge weapon capable of knocking any site, or even country, offline through a co-ordinated Distributed Denial of Service attack. And that’s before you have even started to consider the privacy issues of a compromised host.”